InfoSec Must have Visibility

Risk, Governance, and Compliance is all about Visibility

It is no secret that enterprises moving towards digital transformation are taking on more risk. However, measuring and managing that risk has evolved into more of an art than a science, and as with any art, judging effectiveness is all but impossible. That is a critical failing when it comes to identifying risk and its consequences.

While risk is nothing new, technology has changed how risk is viewed and, more importantly, how risk is amplified. Enterprises have become well aware of this as their intellectual property transforms from the physical realm to the digital realm. Add to that the requirements set forth by regulatory agencies, as well as privacy concerns, and enterprises are now faced with a conundrum, one that has become clouded by data streams, logs, audits, and other components that only complicate what should be effective risk governance.

A survey conducted by Thomson Reuters Regulatory Intelligence managing editor Alexander Robson revealed that managing regulatory risk is a growing concern for enterprises, driven by greater regulatory demands. Yet coordination between internal control functions remains fairly low. The survey shows that only half of all compliance functions spend more than one hour each week with internal audit. That translates to firms missing opportunities to leverage increasingly and persistently scarce resources for risk assessment and management.

Simply put, enterprises need better tools to deal with the trinity of compliance, governance, and risk. What’s more, those tools should be able to quickly expose any shortcomings in risk management and bring visibility to the complex relationship between compliance and risk, especially when that risk extends into the realm of cybersecurity.

“The cybersecurity risks organizations face are forcing organizations to invest significantly in cybersecurity technology, but what is missing is a platform to evaluate their overall preparedness and governed situational awareness,” said Martin Kuppinger, founder and principal analyst, KuppingerCole, an international and independent analyst organization headquartered in Europe.

Perhaps that challenge is best resolved by taking on a different mindset when it comes to governing risk; at least, that is what Ken Pfeil, chief architect for TechDemocracy, proposes. Pfeil said, “senior decision makers must be able to assess and clearly communicate where the enterprise stands versus industry best practices and standards. They must also be able to pinpoint inefficiencies, prioritize risk investments and continually track progress.”

Pfeil, who was once a CISO, stresses the importance of having a unified view of risk, and said, “even in large organizations, I found it particularly challenging to obtain a holistic view of the risk posture, because I was limited to piecemeal assessments coming from the tools I was using to protect the enterprise. That approach not only lacks objectivity, it fails to show the gaps that exist in protection. We’ve created a platform that breaks down those limitations and puts companies on a path to intelligent risk assurance.”

It is those observations that led TechDemocracy to launch the Intellicta platform, a solution designed to bring critical information elements together to give organizations a unified view of their compliance, risk, security and governance tools. “CISOs have been working hand in hand with other business functions to implement cybersecurity solutions, but those accountable to boards of directors for governance, the CROs, CIOs, CEOs and CFOs, did not have a way to evaluate their performances collectively against the business objectives and to create one common picture of their risk situation,” said Gautam Dev, global managing principal, TechDemocracy.

Simply put, regardless of the platforms put in place, it all comes down to visibility. In other words, today’s CISOs (and others charged with compliance and risk avoidance) need a methodology that gives them a crystal-clear view of an organization’s security posture. However, a single view is not enough when it comes to proving acceptable risk. That methodology must also have a holistic approach, one where visualization is part of the equation, easing the chore of explaining risk, compliance, and relative effectiveness to board members, C-Level executives, and even more importantly, those auditing systems for compliance.

Shifting the chore of risk assessment from an art to a science is quickly becoming something many organizations must achieve if they expect to meet the rigorous demands of new legislation, privacy laws and compliance. Magic tricks aside, enterprises will have to turn to governance platforms that give the whole risk picture and can automate the tedious tasks of information gathering and log parsing, giving CISOs that much-needed holistic view of risk.